/dev/urandom things from the head of an engineer in the Solaris Security Group.

Thursday Jun 26, 2008

What is going on here?

Surely that editor window on the right-hand side is a problem: it doesn't have a sensitivity label on it?

The answer is in the next picture:

This was a screenshot of Trusted Extensions running in VirtualBox with Seamless Windows mode turned on. The host was OpenSolaris 2008.05 (snv_91). Where I'm going next is to do it the other way around, so that the host is TX and the guest is also TX but with different label encodings.

What this does show is that even when TX is running as a virtualised guest, the MLS enforcement for cut and paste still applies. The host was treated as "Trusted Path", which makes perfect sense in this case because it is the "hardware".

Monday Jan 08, 2007

Trusted Extensions (TX) was integrated into OpenSolaris before BrandZ, so TX doesn't use the branded zones concept. BrandZ wasn't just about providing the ability to run userland Linux code in a Zone; it also provided an infrastructure to support different styles of zones, and a brand doesn't even need to be something as complex as a Linux zone. There are instructions on the brandz mail alias for creating a Belenix zone hosted on Solaris Express; in this case the branded zone doesn't require a different kernel module.

I think it should be possible to use the BrandZ hooks to avoid the need for doing some of the additional zone creation work that needs to be done manually for TX zones, or via tools like txzonemgr.

Currently lx branded zones (Linux ones) aren't allowed to exist if TX labeling is enabled, but that is a different issue from using the BrandZ infrastructure to create TX zones.